Alan: > The supplicant is sending a certificate that the server doesn't recognize. I have turned off everything I can find on the Windows box about verifying certs and the like but still no joy. Is there a way to tell the FreeRADIUS box to accept the cert?
> What "strange things" show up in the log? Is it a secret?

No, no secrets just the following weirdness:

-------------------------------------
rad_recv: Access-Request packet from host 10.11.30.5 port 32853, id=253, length=164
        User-Name = "umhb\\test1"
        NAS-IP-Address = 10.11.30.5
        NAS-Port = 641
        Called-Station-Id = "00-0F-7D-09-73-20:Temp"
        Calling-Station-Id = "00-17-C4-F0-75-C8"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 1Mbps/36Mbps 802.11g"
        EAP-Message = 0x0200000f01756d68625c7465737431
        Message-Authenticator = 0x149047682e6d36b8bc634cfa08e39088
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Calling-Station-Id = 00-17-C4-F0-75-C8
rlm_perl: Added pair Called-Station-Id = 00-0F-7D-09-73-20:Temp
rlm_perl: Added pair Message-Authenticator = 0x149047682e6d36b8bc634cfa08e39088
rlm_perl: Added pair User-Name = umhb\\test1
rlm_perl: Added pair EAP-Message = 0x0200000f01756d68625c7465737431
rlm_perl: Added pair Connect-Info = CONNECT 1Mbps/36Mbps 802.11g
rlm_perl: Added pair NAS-IP-Address = 10.11.30.5
rlm_perl: Added pair NAS-Port = 641
rlm_perl: Added pair Framed-MTU = 1400
++[perl] returns ok
[suffix] No '@' in User-Name = "umhb\ est11", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [umhb\\\test1] (from client Sanderford port 641 cli 00-17-C4-F0-75-C8)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> umhb\ est11
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 56 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 56
Sending Access-Reject of id 253 to 10.11.30.5 port 32853
Waking up in 4.9 seconds.
Cleaning up request 56 ID 253 with timestamp +14627
-------------------------------------

The user (me) types in umhb\test1, but for some reason the server sees umhb\\test1 which gets expanded into umhb\ est11. There is even a umhb\\\test1 in there! I know this has got to be a MS thing as it works perfectly with Linux ... probably Mac too as they are Linux based.

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html